Commit 3e0c1603 authored by Mark Andrews's avatar Mark Andrews

4286. [security] render_ecs errors were mishandled when printing out

                        an OPT record resulting in an assertion failure.
                        (CVE-2015-8705) [RT #41397]
parent fb17e1f9
4286. [security] render_ecs errors were mishandled when printing out
a OPT record resulting in a assertion failure.
(CVE-2015-8705) [RT #41397]
4285. [security] Specific APL data could trigger a INSIST.
(CVE-2015-8704) [RT #41396]
......
......@@ -24,8 +24,8 @@
</para>
<para>
BIND 9.10.3-P2 addresses the security issues described in
CVE-2015-3193 (OpenSSL), CVE-2015-8000, CVE-2015-8461 and
CVE-2015-8704.
CVE-2015-3193 (OpenSSL), CVE-2015-8000, CVE-2015-8461,
CVE-2015-8704 and CVE-2015-8705.
</para>
<para>
BIND 9.10.3-P1 was incomplete and was withdrawn prior to publication.
......@@ -73,6 +73,14 @@
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
</para>
</listitem>
<listitem>
<para>
render_ecs errors when printing out a OPT record were
mishandled resulting in a assertion failure. This flaw
was discovered by Brian Mitchell and is disclosed in
CVE-2015-8705. [RT #41396]
</para>
</listitem>
</itemizedlist>
</sect2>
<sect2 id="relnotes_features">
......
......@@ -3245,7 +3245,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
}
static isc_result_t
render_ecs(isc_buffer_t *optbuf, isc_buffer_t *target) {
render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target) {
int i;
char addr[16], addr_text[64];
isc_uint16_t family;
......@@ -3255,20 +3255,20 @@ render_ecs(isc_buffer_t *optbuf, isc_buffer_t *target) {
* Note: This routine needs to handle malformed ECS options.
*/
if (isc_buffer_remaininglength(optbuf) < 4)
if (isc_buffer_remaininglength(ecsbuf) < 4)
return (DNS_R_OPTERR);
family = isc_buffer_getuint16(optbuf);
addrlen = isc_buffer_getuint8(optbuf);
scopelen = isc_buffer_getuint8(optbuf);
family = isc_buffer_getuint16(ecsbuf);
addrlen = isc_buffer_getuint8(ecsbuf);
scopelen = isc_buffer_getuint8(ecsbuf);
addrbytes = (addrlen + 7) / 8;
if (isc_buffer_remaininglength(optbuf) < addrbytes)
if (isc_buffer_remaininglength(ecsbuf) < addrbytes)
return (DNS_R_OPTERR);
ADD_STRING(target, ": ");
memset(addr, 0, sizeof(addr));
for (i = 0; i < addrbytes; i ++)
addr[i] = isc_buffer_getuint8(optbuf);
addr[i] = isc_buffer_getuint8(ecsbuf);
if (family == 1)
inet_ntop(AF_INET, addr, addr_text, sizeof(addr_text));
......@@ -3361,9 +3361,18 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
} else if (optcode == DNS_OPT_COOKIE) {
ADD_STRING(target, "; COOKIE");
} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
isc_buffer_t ecsbuf;
ADD_STRING(target, "; CLIENT-SUBNET");
result = render_ecs(&optbuf, target);
isc_buffer_init(&ecsbuf,
isc_buffer_current(&optbuf),
optlen);
isc_buffer_add(&ecsbuf, optlen);
result = render_ecs(&ecsbuf, target);
if (result == ISC_R_NOSPACE)
return (result);
if (result == ISC_R_SUCCESS) {
isc_buffer_forward(&optbuf, optlen);
ADD_STRING(target, "\n");
continue;
}
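Review bot: In the render_ecs hunk at @@ -3255, the byte loop `for (i = 0; i < addrbytes; i ++) addr[i] = isc_buffer_getuint8(ecsbuf);` is bounded only by the option's remaining length, while addr is declared `char addr[16]` in the preceding hunk and addrlen is read as an 8-bit field, so addrbytes can reach 32 and the loop would write past the end of addr. No comparison against sizeof(addr) appears between the addrbytes computation and the loop in the visible lines, and the declarations hidden between the two hunks would not change that. Reject such options the same way the existing length checks do, before the ADD_STRING call: `if (addrbytes > sizeof(addr)) return (DNS_R_OPTERR);`. A family-specific limit (at most 4 bytes for family 1, 16 for family 2) would additionally keep inet_ntop from being handed more address bytes than the family allows, but the sizeof guard is the essential one. The body of render_ecs continues past the hunk, and the third hunk in this section may extend beyond the end of this view.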
......